How to reinforce Environmental Safety with PHP

2025-01-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article explains how to harden the environment that PHP runs in. The methods introduced here are simple, fast and practical, so let's walk through them one by one.

1. Enable safe mode for PHP

Safe mode (safe_mode) is an important built-in security mechanism of the PHP environment. It restricts certain functions (such as system()) and the permissions of most file operation functions, and it also prevents key files such as /etc/passwd from being modified. However, the default php.ini configuration does not enable safe mode.

You can enable safe mode by modifying the php.ini configuration file:

safe_mode = On

Note: safe mode was deprecated in PHP 5.3 and removed in PHP 5.4.0, so this setting and the safe_mode_* options in sections 2 to 4 only apply to PHP 5.3 and earlier. On later versions, rely on open_basedir and disable_functions (sections 5 and 6) instead.

2. User group security

When safe mode is enabled, PHP checks that the owner of the script matches the owner of any file it opens. If the safe_mode_gid option is turned on, this check is relaxed to a group comparison, so any user in the same group as the script can access the file.

Therefore, it is recommended that you leave this option off:

safe_mode_gid = Off

Note: this option parameter applies only to the Linux operating system.

If you do not make this setting, you may not be able to manipulate the files in the server Web site directory.

3. Execution directory in safe mode

If you have enabled safe mode and still need to execute certain programs, you can specify the directory from which programs may be executed, for example:

safe_mode_exec_dir = /usr/bin

In general, if you do not need to execute any programs, it is recommended that you do not point this option at a system program directory. Instead, specify a dedicated directory and copy only the programs you need into it, for example:

safe_mode_exec_dir = /temp/cmd

Better still, do not execute any programs at all. In that case, simply point the execution directory at the web directory:

safe_mode_exec_dir = /usr/www

Note: the path to the execution directory is based on your actual operating system directory path.

4. Include files in safe mode

If you need to include some shared files while in safe mode, you only need to set the following option:

safe_mode_include_dir = /usr/www/include/

In general, the files a PHP script includes are determined by the program itself, so set this directory according to your specific needs.

5. Control the directories that can be accessed by PHP scripts

Using the open_basedir option, you can restrict PHP scripts to the specified directories. This prevents scripts from reading files that should not be accessible and limits the damage a PHP webshell can do. In general, restrict it to the site directory:

open_basedir = /usr/www

6. Disable dangerous functions

If you have enabled safe mode, you do not strictly need to disable functions, but for security reasons it is still recommended. For example, if you do not want PHP to be able to execute commands through functions such as system(), or to reveal its configuration through phpinfo(), you can disable these functions with the following setting:

disable_functions = system, passthru, exec, shell_exec, popen, phpinfo, escapeshellarg, escapeshellcmd, proc_close, proc_open, dl

If you also want to forbid operations on files and directories, you can disable the following file-related functions:

disable_functions = chdir, chroot, dir, getcwd, opendir, readdir, scandir, fopen, unlink, delete, copy, mkdir, rmdir, rename, file, file_get_contents, fputs, fwrite, chgrp, chmod, chown

Note: only some of the commonly used file handling functions are listed above. Because a later disable_functions line in php.ini overrides an earlier one, put the command-execution functions and the file-handling functions on a single line if you want both groups disabled; together they resist most webshell threats.

7. Turn off the disclosure of PHP version information in the HTTP header

To prevent attackers from learning the PHP version running on the server, you can stop it from being leaked in the HTTP response headers:

expose_php = Off

After this setting, anyone who connects to port 80 with telnet to probe your server will no longer see the PHP version in the response headers.

8. Turn off registering global variables

In the PHP environment, submitted variables, including those sent via POST or GET, can be automatically registered as global variables and accessed directly. This is very insecure for your server, so it is recommended that you turn off the option to register global variables, which prevents submitted variables from being registered globally:

register_globals = Off

Note: this option parameter has been removed in versions later than PHP 5.3.

Of course, once this is set, you need to read submitted variables in the proper way. For example, to get the variable var submitted via GET, you need to use $_GET['var'], which is something to keep in mind when writing PHP programs.

9. SQL injection protection

SQL injection is a very dangerous problem: it can lead to the website's backend being compromised and the entire server being taken over.

The magic_quotes_gpc option is off by default. When it is turned on, PHP automatically escapes quote characters in user-submitted request data before it reaches an SQL query (for example, ' becomes \'), which is useful in preventing SQL injection attacks, so it is recommended that you set this option to:

magic_quotes_gpc = On

Note: this option parameter has been removed since PHP 5.4.0.

Therefore, it is best to handle SQL queries with PDO prepared statements instead.
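The following is an added example, not code from the original article. It shows the explicit $_GET access that section 8 calls for and the PDO prepared statement that section 9 recommends, beside the concatenated query it replaces. It assumes PHP 8 with the pdo_sqlite extension and uses an in-memory SQLite database, so it runs offline; the request value is a constructed sample.

```php
<?php
// Added example: read input via $_GET and query with a PDO prepared statement.

// Nothing is auto-registered as a variable (register_globals is gone), so the
// script reads the parameter explicitly. The value is a constructed sample
// containing a single quote, the character magic_quotes_gpc used to escape.
$_GET['name'] = "O'Brien";
$name = isset($_GET['name']) && is_string($_GET['name']) ? $_GET['name'] : '';

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Unsafe: the quote in the input terminates the string literal, so the input
// becomes part of the SQL text. Here that only produces a syntax error, but it
// is the same mechanism an injection relies on.
try {
    $pdo->query("SELECT id FROM users WHERE name = '$name'");
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// Safe: the value is bound as data and cannot change the structure of the query.
$stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo $row ? "prepared statement found id {$row['id']}\n" : "no match\n";
```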

10. Error message control

In general, a PHP environment produces error messages when, for example, it cannot connect to the database. These messages may contain information such as the current path of the PHP script or the SQL statement being executed. Exposing such information to attackers is not safe, so it is recommended that you suppress these error messages:

display_errors = Off

If you do want to display error messages, be sure to restrict the level that is displayed. For example, to display only errors and warnings:

error_reporting = E_ERROR | E_WARNING

(The levels are combined with |; combining them with & yields 0 and reports nothing.)

Note: it is strongly recommended that you turn off the display of error messages.

11. Error log

Once error display is turned off, it is recommended that you log the error messages instead, so that the cause of abnormal server behaviour can still be found:

log_errors = On

At the same time, you need to set where the error log is stored. It is recommended that you store the PHP error log in the same directory as the Apache logs:

error_log = /usr/local/apache2/logs/php_error.log

Note: the Apache user or group must have write permission on this file.

Most important of all, keep the operating system patched and upgrade the PHP version.
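The following is an added example, not code from the original article: a small audit script that checks a php.ini against the settings recommended in sections 5 to 11 (open_basedir, disable_functions, expose_php, display_errors, error_reporting and log_errors). It assumes PHP 8 and uses a constructed sample ini text so that it runs stand-alone.

```php
<?php
// Added example, not from the article: audit a php.ini against the hardening
// settings recommended above. The sample ini text below is constructed.

// Command-execution functions the article says to disable.
const MUST_DISABLE = ['system', 'passthru', 'exec', 'shell_exec', 'popen', 'proc_open', 'dl'];

// Map On/Off/Yes/No/True/False/1/0 (php.ini accepts all of them) to "1" or "0".
function asBool(string $v): string {
    $v = strtolower(trim($v, " \t\"'"));
    if (in_array($v, ['1', 'on', 'yes', 'true'], true)) return '1';
    if (in_array($v, ['', '0', 'off', 'no', 'false', 'none'], true)) return '0';
    return $v;
}

// Return the deviations from the hardened configuration as a list of messages.
function auditPhpIni(string $iniText): array {
    // INI_SCANNER_RAW keeps values as written. When a key is repeated the last
    // assignment wins, exactly as PHP treats two disable_functions lines.
    $ini = parse_ini_string($iniText, false, INI_SCANNER_RAW) ?: [];
    $findings = [];
    foreach (['expose_php' => '0', 'display_errors' => '0', 'log_errors' => '1'] as $key => $want) {
        $have = isset($ini[$key]) ? asBool((string)$ini[$key]) : 'unset';
        if ($have !== $want) $findings[] = "$key should be " . ($want === '1' ? 'On' : 'Off');
    }
    if (trim((string)($ini['open_basedir'] ?? '')) === '') $findings[] = 'open_basedir is not set';
    $disabled = array_map('trim', explode(',', (string)($ini['disable_functions'] ?? '')));
    if ($missing = array_diff(MUST_DISABLE, $disabled)) {
        $findings[] = 'disable_functions is missing: ' . implode(', ', $missing);
    }
    // E_WARNING & E_ERROR is 0 (the bits do not overlap); levels must be OR-ed with |.
    $er = (string)($ini['error_reporting'] ?? '');
    if (str_contains($er, '&') && !str_contains($er, '~')) {
        $findings[] = "error_reporting \"$er\" ANDs two levels together and reports nothing";
    }
    return $findings;
}

// Constructed sample carrying several of the weaknesses the article describes.
$sample = <<<'INI'
expose_php = On
display_errors = On
disable_functions = phpinfo, system, exec
error_reporting = E_WARNING & E_ERROR
INI;

foreach (auditPhpIni($sample) as $f) echo "- $f\n";
```

To audit a real server, replace $sample with file_get_contents() of the php.ini path reported by php --ini.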

At this point, you should have a deeper understanding of how to harden the PHP environment. Try it out in practice; more related content is available in the relevant channels on this site, so follow us and keep learning.
